Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 237483 (CVE-2008-3929) - www-apps/ampache <3.4.3 gather-messages.sh insecure temporary file creation (CVE-2008-3929)
Summary: www-apps/ampache <3.4.3 gather-messages.sh insecure temporary file creation (...
Status: RESOLVED FIXED
Alias: CVE-2008-3929
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3? [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-09-12 14:01 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-23 22:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 14:01:31 UTC
CVE-2008-3929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3929):
  gather-messages.sh in Ampache 3.4.1 allows local users to overwrite
  arbitrary files via a symlink attack on temporary files.
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-15 11:50:50 UTC
ampache-3.4.3 is in the tree.

Targets:

  amd64 ppc x86
Comment 2 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-09-17 20:16:19 UTC
amd64 stable.
Comment 3 Markus Meier gentoo-dev 2008-09-17 20:28:47 UTC
x86 stable
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:54:38 UTC
ppc stable
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:58:35 UTC
glsa decision, voting YES.
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 13:30:41 UTC
Removed ampache-3.3.3.5. Webapps done.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:37:55 UTC
YES too, request filed.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 22:26:37 UTC
GLSA 200812-22